Description
HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user, which leads to executing malicious script code. This may allow the attacker to steal cookie-based authentication credentials and compromise the user's account, then launch other attacks.
Published: 2026-03-19
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting enabling arbitrary script execution and theft of authentication credentials
Action: Immediate Patch
AI Analysis

Impact

HCL Connections is vulnerable to a cross-site scripting (XSS) flaw that allows an attacker to inject and execute arbitrary script code in the browser of an unsuspecting user. By doing so, the attacker can steal cookie‑based authentication credentials, compromise the user’s account, and potentially launch additional attacks from that compromised session. The vulnerability arises from insufficient input validation leading to unauthenticated script execution, a classic XSS weakness (CWE‑79).

Affected Systems

Affected systems include HCL Software’s Connections product version 8.0 and all its cumulative releases 1 through 12, as enumerated by the provided CPE strings. Any installation of HCL Connections 8.0 in these releases is susceptible to the XSS vulnerability.

Risk and Exploitability

The CVSS score of 5.4 indicates a medium‑to‑high severity impact, with an EPSS score of less than 1% suggesting a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be web‑based, as the flaw is triggered by crafted HTTP requests to the HCL Connections web interface, leading to client‑side script execution. Given this data, organizations running the affected versions should evaluate the risk promptly.

Generated by OpenCVE AI on March 19, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Review the HCL Advisory KB0129107 and apply the latest patch or upgrade to a fixed version of HCL Connections 8.0
  • If a patch cannot be applied immediately, disable or restrict any features or input paths that allow user‑supplied data to be rendered without proper sanitization
  • Monitor for signs of XSS exploitation via security logs or user reports to detect early compromise

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 18:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Hcltech; Hcltech connections

Type: CPEs
  Values Removed: (none)
  Values Added:
    cpe:2.3:a:hcltech:connections:8.0:-:*:*:*:*:*:*
    cpe:2.3:a:hcltech:connections:8.0:cumulative_release10:*:*:*:*:*:*
    cpe:2.3:a:hcltech:connections:8.0:cumulative_release11:*:*:*:*:*:*
    cpe:2.3:a:hcltech:connections:8.0:cumulative_release12:*:*:*:*:*:*
    cpe:2.3:a:hcltech:connections:8.0:cumulative_release1:*:*:*:*:*:*
    cpe:2.3:a:hcltech:connections:8.0:cumulative_release2:*:*:*:*:*:*
    cpe:2.3:a:hcltech:connections:8.0:cumulative_release3:*:*:*:*:*:*
    cpe:2.3:a:hcltech:connections:8.0:cumulative_release4:*:*:*:*:*:*
    cpe:2.3:a:hcltech:connections:8.0:cumulative_release5:*:*:*:*:*:*
    cpe:2.3:a:hcltech:connections:8.0:cumulative_release6:*:*:*:*:*:*
    cpe:2.3:a:hcltech:connections:8.0:cumulative_release7:*:*:*:*:*:*
    cpe:2.3:a:hcltech:connections:8.0:cumulative_release8:*:*:*:*:*:*
    cpe:2.3:a:hcltech:connections:8.0:cumulative_release9:*:*:*:*:*:*

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Hcltech; Hcltech connections

Thu, 19 Mar 2026 14:15:00 +0000

Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 09:15:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user which leads to executing malicious script code. This may allow the attacker steal cookie-based authentication credentials and comprise user's account then launch other attacks.

Type: Title
  Values Removed: (none)
  Values Added: HCL Connections is vulnerable to cross-site scripting (XSS)

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-79

Type: References
  Values Removed: (none)
  Values Added:

Type: Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-03-19T13:30:30.937Z

Reserved: 2026-01-05T16:08:02.277Z

Link: CVE-2026-21788

Vulnrichment

Updated: 2026-03-19T13:30:27.542Z

NVD

Status: Analyzed

Published: 2026-03-19T09:16:16.950

Modified: 2026-03-19T18:42:41.013

Link: CVE-2026-21788

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:15:10Z

Weaknesses